Sr. PKI Engineer

TEKsystems, Charlotte, NC
4d · $75 - $85 · Onsite

About The Position

PKI Engineer to design, implement, and operate enterprise-grade Public Key Infrastructure (PKI) services with a strong focus on Microsoft Active Directory Certificate Services (AD CS) and Active Directory (AD) integration. Hands-on implementation and integration knowledge of certificate lifecycle management, CA hierarchy governance, enrollment automation, HSM-backed key protection, CA backup and restore, migration, and integration with platforms such as Windows Server, Linux, network/security devices, cloud providers, MDM/EPP, and zero-trust tooling. Subject matter expert for cryptographic standards, certificate-based authentication, and PKI security controls across the organization. The required experience and responsibilities are listed in the sections below.

Requirements

  • ADCS (Active Directory Certificate Services)
  • Integrate PKI with Active Directory (AD forests/domains, ADCS, AIA/CDP locations, GPOs)
  • Deploy, Configure, Implement, Install
  • Architecture & Design
  • Key sizes and algorithms (RSA, ECC, and PQC) for encryption and hashing
  • Operations & Automation
  • Security & Compliance
  • ADCS, Active Directory Certificate Services, PKI, Automation, Active Directory
  • 8+ years in Security Engineering/Identity Infrastructure, including 5+ years hands-on with Microsoft AD CS and enterprise Active Directory, including management of CA infrastructure
  • Proven experience designing, deploying, and operating multi-tier Microsoft PKI (offline root, issuing CAs) in large/complex environments.
  • Deep knowledge of X.509, CRL/OCSP, EKU/KU, SANs, key algorithms and sizes (RSA/ECC), hashing (SHA-2), and certificate validation paths.
  • Strong PowerShell and Windows Server administration; GPOs, autoenrollment, templates, AIA/CDP configuration.
  • Experience with 802.1X/EAP-TLS, TLS/mTLS, VPN auth, and device/user certificate issuance at scale.
  • HSM experience (e.g., nCipher/Entrust/Thales) for CA key management.

Responsibilities

  • Design and maintain enterprise PKI architectures (Root CA, Policy CA, Issuing CA) with offline/air-gapped roots, secure key ceremonies, key usage and issuance workflows, and robust CRL/OCSP distribution.
  • Engineer solutions for mutual TLS, 802.1X (wired/wireless/VPN), device identity, code signing, S/MIME, BitLocker, and disk/volume encryption certs.
  • Implement HSM-backed key storage for CAs and code signing; lead key ceremonies, disaster recovery designs.
  • Own certificate lifecycle management (issuance, renewal, revocation) including automation via Intune, GPO/Autoenrollment, SCEP/NDES, ACME, or MDM connectors.
  • Manage CRL/OCSP publication, monitoring, and availability; design highly available, geo-distributed revocation endpoints.
  • Implement scripting/automation (PowerShell, APIs) for bulk issuance, inventory, renewal, and drift detection.
  • Enable separation of duties for secure operation of PKI infrastructure.
  • Own CA backup, restore, renewal, and migration strategy.
  • Apply strong key management practices (FIPS 140-2/140-3), certificate assurance levels, and secure CA hardening baselines.
  • Regularly perform PKI risk assessments, access reviews, and control testing (e.g., template permissions, EKU misuse, issuance constraints).
  • Lead root cause analysis and incident response for certificate/PKI-related outages or security events.
  • Maintain alignment with NIST, CAB Forum, Microsoft Security Baselines, and internal compliance frameworks (e.g., SOX, PCI, HIPAA, ISO 27001) as applicable.

Benefits

  • Medical, dental & vision
  • Critical Illness, Accident, and Hospital
  • 401(k) Retirement Plan – Pre-tax and Roth post-tax contributions available
  • Life Insurance (Voluntary Life & AD&D for the employee and dependents)
  • Short and long-term disability
  • Health Spending Account (HSA)
  • Transportation benefits
  • Employee Assistance Program
  • Time Off/Leave (PTO, Vacation or Sick Leave)
© 2024 Teal Labs, Inc